From 3d932709abd0b5390efe67451653fc9efa9db677 Mon Sep 17 00:00:00 2001 From: Jonathan Gallimore Date: Fri, 23 Oct 2020 01:16:50 +0100 Subject: [PATCH] Fix #2589 (#2901) Co-authored-by: Tatu Saloranta --- release-notes/CREDITS-2.x | 5 +++++ release-notes/VERSION-2.x | 4 ++++ .../fasterxml/jackson/databind/ext/DOMDeserializer.java | 8 ++++++++ 3 files changed, 17 insertions(+) diff --git a/release-notes/CREDITS-2.x b/release-notes/CREDITS-2.x index 5e92884c1b..bfaa5eb3fd 100644 --- a/release-notes/CREDITS-2.x +++ b/release-notes/CREDITS-2.x @@ -872,3 +872,8 @@ Kaki King (kingkk9279@g) Jon Anderson (Jon901@github) * Reported #2544: java.lang.NoClassDefFoundError Thrown for compact profile1 (2.9.10.2) + +Bartosz Baranowski (baranowb@github) + * Reported #2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent + external entity expansion in all cases + (2.9.10.7) diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x index d29d8196ce..ffbad878f3 100644 --- a/release-notes/VERSION-2.x +++ b/release-notes/VERSION-2.x @@ -6,6 +6,10 @@ Project: jackson-databind 2.9.10.7 (not yet released) +#2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent + external entity expansion in all cases + (reported by Bartosz B) + #2854: Block one more gadget type (javax.swing, CVE-2020-xxx) (reported by Yangkun(ICSL)) diff --git a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java index 74bc18da7b..e7c72ff98d 100644 --- a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java +++ b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java 
@@ -39,6 +39,14 @@ public abstract class DOMDeserializer extends FromStringDeserializer
 // 14-Jul-2016, tatu: Not sure how or why, but during code coverage runs
 // (via Cobertura) we get `java.lang.AbstractMethodError` so... ignore that too
 }
+
+ // [databind#2589] add two more settings just in case
+ try {
+ parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ } catch (Throwable t) { } // as per previous one, nothing much to do
+ try {
+ parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ } catch (Throwable t) { } // as per previous one, nothing much to do
 DEFAULT_PARSER_FACTORY = parserFactory;
 }
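Review bot: Both feature URIs added here are Apache/Xerces-specific, and when a non-Xerces JAXP implementation rejects them the empty `catch (Throwable t) { }` hides that outcome, so the factory silently falls back to only `setExpandEntityReferences(false)` — the very setting #2589 reports as insufficient. The SAX-standard names `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` are honoured by more parsers and would give a second line of defence when `disallow-doctype-decl` is not supported; `parserFactory.setXIncludeAware(false)` closes the XInclude route as well. Also worth stating in the `[databind#2589]` comment that `disallow-doctype-decl=true` makes the parser reject any document carrying a DOCTYPE at all, which is presumably the intended trade-off but is a visible behaviour change for callers. The enclosing static initializer starts before this hunk, so the earlier catch that "as per previous one" refers to is not visible here.
```java
// … unchanged: disallow-doctype-decl and load-external-dtd try/catch blocks …
// [databind#2589] the Apache URIs above may be rejected by non-Xerces JAXP
// implementations; the SAX-standard names below are a more portable fallback
try {
    parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
} catch (Throwable t) { } // feature unsupported by this parser; nothing more to do
try {
    parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
} catch (Throwable t) { } // feature unsupported by this parser; nothing more to do
parserFactory.setXIncludeAware(false);
DEFAULT_PARSER_FACTORY = parserFactory;
```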